apache proxy server

Upload: srgs86

Post on 02-Jun-2018


    8/10/2019 Apache Proxy Server

    1/31

    Configuring a Linux Apache Proxy Server for

    Use with Supplier

    James J. Morrow

    NorCal OAUG Training Day

    Santa Clara Convention Center

    January 17, 2007

    2/31

    2007 Solution Beacon, LLC. All Rights Reserved.

    Introduction

    The following will be covered

    References and Definition

    Purpose of a Proxy Server

    Reverse Proxy Options

    The Selected Reverse Proxy Option

    Metalink Note Author's Choice

    mod_rewrite/url firewall purpose

    Building the Reverse Proxy Server

    Configuring the URL Firewall

    Creating the External Webtier

    Adjusting Configuration Files

    Environment Diagram

    Updating the External Webtier Context File

    Updating All Webtier Context File

    3/31

    References and Definition

    Presentation Reference

    Metalink Note 287176.1 (DMZ Configuration with Oracle E-Business Suite 11i)

    Is the note still relevant? Several implementations

    Reverse Proxy Server Definition

    A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.

    4/31

    Purpose of a Proxy Server

    Why use a proxy server?

    Adds a level of isolation between the client and the actual server

    Allows using standard web port numbers (80 and 443) on the external interface while running the actual web server on higher numbered ports, thus avoiding having to start the actual web application server processes as root.

    Allows certain rules (or filters) to limit the HTTP requests that are presented to the actual web server

    Optionally allows for caching of contents

    5/31

    4 Reverse Proxy Options

    Which reverse proxy option?

    Use Oracle 9i Application Server 1.0.2.2 as shipped with Oracle E-Business Suite

    Use Oracle Application Server Webcache

    Use apache httpd from http://httpd.apache.org

    Use any of a number of commercially available reverse proxies, which often provide some level of added security as well.

    6/31

    The Selected Reverse Proxy Option

    Option 3: Apache httpd. After looking at the pros/cons presented in note 287176.1, option 3 was chosen due to its advantages and lack of a serious disadvantage. Pros:

    Reputable provider of open source software

    Available on many platforms

    Can be configured and built to only include the required modules

    Widely used Web server

    Can directly use the URL Firewall as the mod_rewrite module can be configured with this server

    Certified with Oracle E-Business Suite in DMZ configuration

    Well Known, Well documented

    7/31

    Metalink Note Author's Choice

    The author of the metalink note chose option 3 also because it

    can be built in a minimum configuration

    supports HTTP/1.1 for better performance

    is well known, and the configuration steps described for the apache based reverse proxy will be useful when configuring any other reverse proxy

    8/31

    mod_rewrite/url firewall purpose

    mod_rewrite and URL firewall were mentioned a few slides prior

    mod_rewrite is used for rewriting a URL at the server level, giving the user output for that final page. So, for example, a user may ask for http://www.somesite.com/widgets/blue/, but will really be given http://www.somesite.com/widgets.php?colour=blue by the server

    A URL Firewall ensures only URLs required for the externally exposed functionality can be accessed from the internet

    Optimally a URL Firewall would be deployed on the reverse proxy server

    9/31

    Building the Reverse Proxy Server

    Download apache (2.0.59) from http://httpd.apache.org/

    Untar the downloaded tar ball: tar xzf

    Check the tar ball: md5sum -c httpd-2.0.59.tar.gz.md5

    Configure Apache: put the command mentioned below in a file named runc.sh

    I modified the configure command example in the note so the parms were on 1 continuous line

    ./configure -prefix /dmz \

    The configure command will produce several pages of output to the screen

    10/31

    Building the Reverse Proxy Server

    Adjust the source of mod_proxy.c to ensure that mod_proxy does not proxy a request to the external webtier before the URL firewall based on mod_rewrite has a chance to reject it:

    ap_hook_translate_name(proxy_trans, aszSucc, NULL, APR_HOOK_FIRST);

    aszSucc is a NULL-terminated array of strings that name modules whose hooks should succeed this one. Passed here as the first (aszPre) argument of ap_hook_translate_name, it has the opposite effect for this hook: the module it names, mod_rewrite.c, gets its translate_name hook run before proxy_trans, which is exactly the ordering the URL firewall needs.

    cd $HOME/src/httpd-2.0.59 and execute: make

    The results of ./httpd -l will differ from the metalink note

    11/31

    Building the Reverse Proxy Server

    This is the list received for version 2.0.59:

    core.c
    mod_access.c
    mod_auth.c
    mod_log_config.c
    mod_headers.c
    mod_setenvif.c
    mod_proxy.c
    proxy_connect.c
    proxy_ftp.c
    proxy_http.c
    mod_ssl.c
    prefork.c
    http_core.c
    mod_mime.c
    mod_dir.c
    mod_rewrite.c
    mod_so.c

    These 2 additional modules are delivered with 2.0.59: proxy_connect.c and proxy_ftp.c. They are not shown in the list in appendix D of the metalink document

    12/31

    Building the Reverse Proxy Server

    Install apache to /dmz

    $ umask 022

    $ make install

    Install mod_security; note that mod_security.c doesn't exist, so mod_security2.c was used: /dmz/bin/apxs -cia mod_security2.c

    Since this is being done as non-root, the unix sysadmin must do port translation in the firewall and you must use a port other than 80 (modify httpd.conf and apachectl)

    13/31

    Building the Reverse Proxy Server

    Sysadmin port translation setup example

    User Access Verification
    Password:

    Type help or '?' for a list of available commands.
    pixfirewall> enable
    Password: **********
    pixfirewall# config t
    pixfirewall(config)# clear xlate interface outside global 123.45.67.89 netmask 255.255.255.255

    14/31

    Building the Reverse Proxy Server

    Sysadmin port translation setup example

    pixfirewall(config)# static (inside,outside) tcp 123.45.67.89 80 192.168.100.1 4480 netmask 255.255.255.255 0 0
    pixfirewall(config)# access-list outside_access_in line 6 permit tcp any host 123.45.67.89 eq 80
    pixfirewall(config)# access-group outside_access_in in interface outside
    pixfirewall(config)# exit
    pixfirewall# exit
    Logoff
    Connection closed by foreign host.

    15/31

    Building the Reverse Proxy Server

    Start the server using apachectl (w/o ssl)

    /dmz/bin/apachectl start

    Verify it is running on port 4480

    netstat -lntp | sort -t: +1n
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 :::4480 :::* LISTEN 22797/httpd

    Login via: http:///index.html.en

    16/31

    Building the Reverse Proxy Server

    Stop apache: /dmz/bin/apachectl stop

    Setup a self signed certificate for testing purposes (these steps may have changed with the new version)

    $ cd /dmz/conf
    $ umask 022
    $ mkdir ssl.key
    $ mkdir ssl.crt
    $ mkdir ssl.crl

    17/31

    Building the Reverse Proxy Server

    Setup a self signed certificate for testing purposes

    $ openssl req -new -x509 -days 30 -keyout ssl.key/server.key -out ssl.crt/server.crt -subj '/CN=Test-Only Certificate'
    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ssl.key/server.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    $ chmod 600 ssl.key/server.key # private key

    18/31

    Building the Reverse Proxy Server

    Start apache with ssl: /dmz/bin/apachectl start

    Verify it is running on port 4438

    verify: netstat -lntp | sort -t: +1n
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 :::4483 :::* LISTEN 1654/httpd
    tcp 0 0 :::4480 :::* LISTEN 1654/httpd

    Also verify via browser, specifying http and https in your url

    19/31

    Building the Reverse Proxy Server

    20/31

    Building the Reverse Proxy Server

    Configure the runtime settings in the configuration files

    Configure Apache httpd (on port 4480)

    Configure mod_ssl and certificate (on port 4438)

    Configure mod_proxy (pass entire URL space to external webtier)

    Configure mod_security

    21/31

    Configuring the URL Firewall

    cp $IAS_ORACLE_HOME/Apache/Apache/conf/url_fw.conf /dmz/conf

    Edit /dmz/conf/url_fw.conf:

    Double check to ensure the STATIC, COMMON and LOCAL blocks are uncommented; did not Configure Initial Page

    UNCOMMENT POS (since this is for iSupplier):

    #================================================================
    # Include URLs for product POS (iSupplier Portal)
    #================================================================
    RewriteRule ^/OA_HTML/jsp/pos/suppreg/SupplierRegister\.jsp$ - [L]
    RewriteRule ^/OA_HTML/jsp/pos/registration/RegistrationReply\.jsp$ - [L]
    RewriteRule ^/OA_HTML/AppsChangePassword\.jsp$ - [L]

    22/31

    Configuring the URL Firewall

    Edit /dmz/conf/url_fw.conf

    Uncomment HELP:

    #================================================================
    # Include PLS Help -
    RewriteRule /OA_HTML/jsp/fnd/fndhelp\.jsp$ - [L]
    RewriteRule ^/pls/[^/]*/fnd_help.search$ - [L]
    RewriteRule /pls/[^/]*/fnd_help.Advanced_Search_Page$ - [L]
    RewriteRule /pls/[^/]*/fndgfm/fnd_help.get/(.*) - [L]
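An added example, not from the slides or from the Metalink note, showing how an allow-list of url_fw.conf rules like the POS and HELP entries above behaves when walked in order the way mod_rewrite walks it, and how the widgets rewrite from the mod_rewrite slide fits the same mechanism. The rule text, the widgets rule, the closing catch-all and the function names (parse_rules, evaluate, has_default_deny) are constructed for illustration.

```python
import re

# Constructed url_fw.conf-style rule set: POS and HELP rules quoted on the
# slides, one commented-out (inactive) rule, a rewrite in the style of the
# widgets example, and a closing catch-all that forbids everything else.
URL_FW_CONF = r"""
RewriteRule ^/widgets/([a-z]+)/$ /widgets.php?colour=$1 [L]
RewriteRule ^/OA_HTML/jsp/pos/suppreg/SupplierRegister\.jsp$ - [L]
RewriteRule ^/OA_HTML/jsp/pos/registration/RegistrationReply\.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsChangePassword\.jsp$ - [L]
RewriteRule ^/pls/[^/]*/fnd_help.search$ - [L]
# RewriteRule /OA_HTML/jsp/fnd/fndhelp\.jsp$ - [L]
RewriteRule .* - [F]
"""

RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$')

def parse_rules(conf):
    """Turn RewriteRule lines into (compiled pattern, substitution, flag set)."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                        # blank or commented out: not active
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unparsable rule: ' + line)
        pattern, subst, flags = m.groups()
        flagset = {f.strip() for f in (flags or '').split(',') if f.strip()}
        rules.append((re.compile(pattern), subst, flagset))
    return rules

def evaluate(rules, path):
    """Apply the rules in order as mod_rewrite would; return ('allow'|'forbid', path)."""
    for pattern, subst, flags in rules:
        if pattern.search(path) is None:    # RewriteRule patterns are unanchored regexes
            continue
        if 'F' in flags:
            return ('forbid', path)         # [F]: 403, the request never reaches mod_proxy
        if subst != '-':                    # '-' keeps the URL; anything else rewrites it
            path = pattern.sub(re.sub(r'\$(\d)', r'\\\1', subst), path, count=1)
        if 'L' in flags:
            return ('allow', path)          # [L]: stop here and pass the URL on
    return ('allow', path)                  # nothing matched: URL passes unchanged

def has_default_deny(rules):
    """True when the final rule forbids every URL, as url_fw.conf must."""
    pattern, _, flags = rules[-1]
    return pattern.pattern == '.*' and 'F' in flags
```

A request for a commented-out or unlisted page reaches the catch-all and is refused on the proxy, which is the check the hook reordering on the mod_proxy.c slide exists to guarantee happens before proxying.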

    23/31

    Creating the External Webtier

    Create external webtier

    Clone internal middle tier to external web-tier box

    Enable only web portion by adjusting tier tags in context file ($APPL_TOP/admin/

    Named extweb.mycompany.net

    Connect the dots (reverse proxy server, external tier)

    Per DMZ doc, update hierarchy type

    Update node trust level

    Update list of responsibilities

    Update home page node to framework

    24/31

    Adjusting Configuration Files

    The metalink note provides downloads of 2 files with appropriate configuration settings. They have to be modified to reflect your paths: you will have to modify the files to reflect your host and domain names and the location for /dmz. Once you have modified the above two configuration files and copied them to /dmz/conf/ it is time to test the proxy

    25/31

    Adjusting Configuration Files

    The assumptions made while creating these config files are:

    the reverse proxy will be accessed via the hostname reversep.mycompany.net

    the E-Business Suite external webtier is called extweb.mycompany.net

    the server admin is [email protected]

    the apache proxy was configured and installed to /dmz

    26/31

    Environment Diagram

    [Diagram: Placement of RP Server. client -> (https 4438 / http 4480) -> reverse proxy + URL firewall + mod_security (reversep.mycompany.net) -> (http 8015) -> 11i external web tier (extweb.mycompany.net) -> (SQL*Net 1523) -> database]

    27/31

    Updating the External Webtier Context File

    Update the Oracle E-Business Suite Context File (non-ssl example). Use OAM or modify the file $APPL_TOP/admin/_.xml (make sure you back it up before modifying). Values used in the example:

    reversep
    mycompany.net
    4480
    http
    http://reversep.mycompany.net:4480/oa_servlets/AppsLogin

    28/31

    Updating All Webtier Context Files

    Update the Oracle E-Business Suite Context File

    Run autoconfig on each applications middle tier

    Additional SYSADMIN tasks

    Set profile POS: External URL to http://reversep.mycompany.net:4480

    Set profile POS: Internal URL to http://appserver.mycompany.net:4015

    Exec: $POS_TOP/patch/115/sql/pos_upg_usr.sql

    See metalink note 308271.1 for additional options. Note that no additional patches are required if you are at release 11.5.10 or 11.5.10.2

    29/31

    Conclusion

    In summary, recall that a reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.

    The above provides additional security to that portion of 11i E-Business Suite that is internet facing

    30/31

    Thank you!

    James J. Morrow, [email protected]

    www.solutionbeacon.com

    Real Solutions for the Real World.

    Questions and Answers

    31/31

    Watch for our new book:

    Installing, Upgrading and Maintaining Oracle E-Business Suite Applications 11.5.10.2

    It's coming THIS YEAR!

    Sign Up For the Solution Beacon Newsletter at www.solutionbeacon.com so you'll be notified when it's available!
